← Back to context

Comment by Barrin92

10 days ago

>but don't lose sight of what LLMs can do off the leash.

there is no such thing as an LLM "off the leash", it's not a dog, and even if it was a dog the person responsible is the owner. What is this bizarre attitude to a piece of software that makes people think existing laws don't apply?

If your LLM agent hacks a bank, you have hacked a bank, you will go to prison and that's entirely sufficient. People have been hacking banks for decades now, it didn't require the government to regulate C compilers and Emacs.

This is overly reductive.

If your web browser hacks a bank, but you didn't know and didn't expect it to, have you hacked a bank? Why is an LLM different? What happened to mens rea?

  • A web browser can't decide to hack a bank anymore than a LLM can. Neither have any understanding of what a bank is or any will to act on their own. The person who instructs/uses a web browser to hack a bank (even if it's someone else's browser) commits the crime.

    • I think pretty obviously if the user instructs the computer to hack the bank then they are guilty of hacking the bank, I don't think that's the crux of the issue.

      The crux of the issue is what if the LLM decides on its own to hack the bank while the user isn't watching? Is the user then guilty of hacking the bank or not? I think it's pretty obvious that the user in this scenario is at least less culpable of hacking the bank than they would be if they had deliberately instructed it.

      LLMs functionally can decide to act on their own. You might say that they're not actually "deciding" anything, because it's just a perfectly mechanical unfolding of chains of tokens triggering actions on the computer, which doesn't count as "deciding". But again I don't think that's the crux of the issue.

      4 replies →

  • We'll only know when that gets tested in court, but I'd be willing to bet the answer will be: yes, you have hacked a bank. I find it very hard to believe the justice system would let someone off on some technicality around intention and agents after a serious bank hack.

  • > If your web browser hacks a bank, but you didn't know and didn't expect it to, have you hacked a bank?

    Depends, as usual. Intent can matter, but depends on the statute (and jurisdiction) in question.

    • This is the is-ought fallacy.

      I'm not asking you to describe the existing laws. I'm pontificating on how they ought to be.

There is a baseline level of competence and motivation needed to commit crimes.

Decades ago few people would walk into a record store and steal CDs. Napster came along smashing all barriers entry, and it became weird not to steal music.

Its not really the legality that matters, it's the barrier on one hand and the cognitive ability on the other. Drop both and you get huge spikes in crime.